<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <title>PowerMemory (RWMC Tool)</title>
    <link rel="stylesheet" type="text/css" href="common/style.css" />
    <script language="JavaScript" type="text/javascript" src="common/script.js"></script>
  </head>
  <body>
    <h1 class="title">PowerMemory (RWMC Tool)</h1>
      <h2 class="toc"><a href="#toc" class="collapse" id="a-toc" onclick="showhide('toc');">-</a> <a name="toc">Table of Contents</a></h2>
        <div class="toc" id="div-toc">
          <ul>
            <li><a href="#Summary">Tool Overview</a></li>
            <li><a href="#ExecCondition">Tool Operation Overview</a></li>
            <li><a href="#Findings">Information Acquired from Log</a></li>
            <li><a href="#SuccessCondition">Evidence That Can Be Confirmed When Execution is Successful</a></li>
            <li><a href="#KeyEvents">Main Information Recorded at Execution</a></li>
            <li><a href="#SourceDetails">Details: Source Host</a></li>
            <li><a href="#ADDetails">Details: Domain Controller</a></li>
            <li><a href="#Notes">Remarks</a></li>
          </ul>
          <p class="toc_command"><a href="#" onclick="collapseall('s');">Open all sections</a> | <a href="#" onclick="collapseall('h');">Close all sections</a></p>
          <hr class="section_divider" />
        </div>
      <h2 class="section"><a href="#Summary" class="collapse" id="a-Summary" onclick="showhide('Summary');">-</a> <a name="Summary">Tool Overview</a></h2>
        <div class="section" id="div-Summary">
          <dl class="table">
            <dt class="table">Category</dt>
              <dd class="table">Password and Hash Dump</dd>
            <dt class="table">Description</dt>
              <dd class="table">Acquires authentication information stored in files and in memory.</dd>
            <dt class="table">Example of Presumed Tool Use During an Attack</dt>
              <dd class="table">This tool is used to log on to other hosts with the acquired authentication information.</dd>
          </dl>
        </div>
      <h2 class="section"><a href="#ExecCondition" class="collapse" id="a-ExecCondition" onclick="showhide('ExecCondition');">-</a> <a name="ExecCondition">Tool Operation Overview</a></h2>
        <div class="section" id="div-ExecCondition">
          <table class="border">
            <thead>
              <tr class="border">
                <th class="border_header">Item</th>
                <th class="border_header">Source Host</th>
                <th class="border_header">Destination Host</th>
              </tr>
            </thead>
            <tbody>
              <tr class="border">
                <td class="border_header">OS</td>
                <td class="border">Windows</td>
                <td class="border">Windows Server</td>
              </tr>
              <tr class="border">
                <td class="border_header">Belonging to Domain</td>
                <td class="border" colspan="2">Required</td>
              </tr>
              <tr class="border">
                <td class="border_header">Rights</td>
                <td class="border">Administrator</td>
                <td class="border">Standard user</td>
              </tr>
              <tr class="border">
                <td class="border_header">Communication Protocol</td>
                <td class="border" colspan="2">88/tcp, 135/tcp, 445/tcp, high port/tcp, HTTP to the Microsoft symbol servers</td>
              </tr>
              <tr class="border">
                <td class="border_header">Service</td>
                <td class="border">Workstation</td>
                <td class="border">Active Directory Domain Services</td>
              </tr>
            </tbody>
          </table>
        </div>
      <h2 class="section"><a href="#Findings" class="collapse" id="a-Findings" onclick="showhide('Findings');">-</a> <a name="Findings">Information Acquired from Log</a></h2>
        <div class="section" id="div-Findings">
          <dl class="table">
            <dt class="table">Standard Settings</dt>
              <dd class="table"><ul>
                <li>Source host<ul>
                  <li>Execution history (Prefetch)</li>
                  <li>Details of the script or command executed (Windows 10 only; recorded in &quot;Microsoft-Windows-PowerShell/Operational&quot; and C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)</li>
                  </ul></li>
                </ul></dd>
            <dt class="table">Additional Settings</dt>
              <dd class="table"><ul>
                <li>Source host<ul>
                  <li>Execution history (audit policy, Sysmon)</li>
                  <li>Details of the script or command executed (Windows 7 with Windows Management Framework 5.0 installed; recorded in &quot;Microsoft-Windows-PowerShell/Operational&quot; and C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)</li>
                  </ul></li>
                </ul></dd>
          </dl>
        </div>
      <h2 class="section"><a href="#SuccessCondition" class="collapse" id="a-SuccessCondition" onclick="showhide('SuccessCondition');">-</a> <a name="SuccessCondition">Evidence That Can Be Confirmed When Execution is Successful</a></h2>
        <div class="section" id="div-SuccessCondition">
          <ul>
            <li>Source Host: Event ID 4104 is recorded in the event log &quot;Microsoft-Windows-PowerShell/Operational&quot;, and its content includes the PowerMemory script (Windows 10, or Windows 7 with Windows Management Framework 5.0 installed).</li>
            <li>Domain Controller: There is evidence that the files &quot;C:\Windows\Temp\msdsc.exe&quot; and &quot;lsass.dmp&quot; were created.</li>
          </ul>
        </div>
      <h2 class="section"><a href="#KeyEvents" class="collapse" id="a-KeyEvents" onclick="showhide('KeyEvents');">-</a> <a name="KeyEvents">Main Information Recorded at Execution</a></h2>
        <div class="section" id="div-KeyEvents">
          <h3 class="subsection"><a href="#KeyEvents-Source" class="collapse" id="a-KeyEvents-Source" onclick="showhide('KeyEvents-Source');">-</a> <a name="KeyEvents-Source">Source Host</a></h3>
            <div class="section" id="div-KeyEvents-Source">
              <h4>Event log</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Log</th>
                      <th class="border_header">Event ID</th>
                      <th class="border_header">Task Category</th>
                      <th class="border_header">Event Details</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">1</td>
                      <td class="border">Process Create (rule: ProcessCreate)</td>
                      <td class="border">Process Create.<ul>
                        <li><span class="strong">CommandLine</span>: Command line of the execution command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                        <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                        <li><span class="strong">User</span>: Execute as user</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">Security</td>
                      <td class="border">4656</td>
                      <td class="border">File System/Other Object Access Events</td>
                      <td class="border">A handle to an object was requested.<ul>
                        <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                        <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                        <li><span class="strong">Object &gt; Object Name</span>: Target file name (under [Execution Path to Tool]\[Date and Time]. A log file and so on are left here.)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">3</td>
                      <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                      <td class="border">4104</td>
                      <td class="border">Execute a Remote Command.</td>
                      <td class="border">Creating Scriptblock text.<ul>
                        <li><span class="strong">Message</span>: The content of the script executed. The content of a PowerShell script executed is recorded as is (&apos;Start-Process -FilePath powershell.exe -ArgumentList &quot;-ExecutionPolicy Bypass -File .\RWMC\[PowerShell Script Tool] 0&quot;&apos;).</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">4</td>
                      <td class="border">Security</td>
                      <td class="border">4663</td>
                      <td class="border">File System</td>
                      <td class="border">An attempt was made to access an object.<ul>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that accessed the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                        <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData, WRITE_DAC)</li>
                        <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                        <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Path to Tool]\[Date and Time]\lsass.dmp)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">5</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">3</td>
                      <td class="border">Network connection detected (rule: NetworkConnect)</td>
                      <td class="border">Network connection detected.<ul>
                        <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                        <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                        <li><span class="strong">SourceIp/SourceHostname/SourcePort</span>: Source IP address/Host name/Port number (source host)</li>
                        <li><span class="strong">DestinationIp/DestinationHostname/DestinationPort</span>: Destination IP address/Host name/Port number (domain controller ports: 88, 135, and 445, high port)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">6</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">1</td>
                      <td class="border">Process Create (rule: ProcessCreate)</td>
                      <td class="border">Process Create. Thereafter, the operation did not complete in this environment.<ul>
                        <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                        <li><span class="strong">CurrentDirectory</span>: Work directory (path to the tool)</li>
                        <li><span class="strong">CommandLine</span>: Command line of the execution command ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe [Option])</li>
                        <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -ExecutionPolicy Bypass -File .\RWMC\[PowerShell Script Tool] 0)</li>
                        <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">User</span>: Execute as user</li>
                        <li><span class="strong">Image</span>: Path to the executable file ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe)</li>
                        </ul></td>
                    </tr>
                  </tbody>
                </table>
              <h4>Prefetch</h4>
                <ul>
                  <li>C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf</li>
                  <li>C:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf</li>
                </ul>
            </div>
          <h3 class="subsection"><a href="#KeyEvents-AD" class="collapse" id="a-KeyEvents-AD" onclick="showhide('KeyEvents-AD');">-</a> <a name="KeyEvents-AD">Domain Controller</a></h3>
            <div class="section" id="div-KeyEvents-AD">
              <h4>Event log</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Log</th>
                      <th class="border_header">Event ID</th>
                      <th class="border_header">Task Category</th>
                      <th class="border_header">Event Details</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">3</td>
                      <td class="border">Network connection detected (rule: NetworkConnect)</td>
                      <td class="border">Network connection detected.<ul>
                        <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                        <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                        <li><span class="strong">SourceIp/SourceHostname/SourcePort</span>: Source IP address/Host name/Port number (domain controller ports: 88, 135, and 445, high port)</li>
                        <li><span class="strong">DestinationIp/DestinationHostname/DestinationPort</span>: Destination IP address/Host name/Port number (source host)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">1</td>
                      <td class="border">Process Create (rule: ProcessCreate)</td>
                      <td class="border">Process Create.<ul>
                        <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\wbem\WmiPrvSE.exe)</li>
                        <li><span class="strong">CommandLine</span>: Command line of the execution command (C:\Windows\temp\msdsc.exe lsass c:\windows\temp)</li>
                        <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding)</li>
                        <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">User</span>: Execute as user</li>
                        <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\Temp\msdsc.exe)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">3</td>
                      <td class="border">Security</td>
                      <td class="border">5145</td>
                      <td class="border">Detailed File Share</td>
                      <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                        <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (WriteData or AddFile)</li>
                        <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\C$)</li>
                        <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                        <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (windows\temp\msdsc.exe)</li>
                        <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">4</td>
                      <td class="border">Security</td>
                      <td class="border">5145</td>
                      <td class="border">Detailed File Share</td>
                      <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                        <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (including READ_CONTROL, SYNCHRONIZE, ReadData or ListDirectory, ReadEA, and ReadAttributes)</li>
                        <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\C$)</li>
                        <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                        <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (windows\temp\lsass.dmp)</li>
                        <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">5</td>
                      <td class="border">Security</td>
                      <td class="border">4656</td>
                      <td class="border">File System/Other Object Access Events</td>
                      <td class="border">A handle to an object was requested.<ul>
                        <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle (C:\Windows\Temp\msdsc.exe)</li>
                        <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Temp\lsass.dmp)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">6</td>
                      <td class="border">Security</td>
                      <td class="border">5145</td>
                      <td class="border">Detailed File Share</td>
                      <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                        <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (including SYNCHRONIZE, ReadAttributes, WriteAttributes, and DELETE)</li>
                        <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\C$)</li>
                        <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                        <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (windows\temp\msdsc.exe)</li>
                        <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                        </ul></td>
                    </tr>
                  </tbody>
                </table>
            </div>
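              <p>The Domain Controller artifacts listed above (Sysmon Event ID 1 for msdsc.exe under WmiPrvSE.exe, Security 5145 for msdsc.exe and lsass.dmp over the C$ share, and Security 4656 for the dump file handle), together with the summary under &quot;Evidence That Can Be Confirmed When Execution is Successful&quot;, can be turned into a detection check. The following PowerShell is an added example, not code from this page or from the PowerMemory project; the rule labels (DC-RWMC-*) and the sample event are constructed, and the sample follows the XML shape that Get-WinEvent's ToXml() produces.</p>

```powershell
# Added example: evaluate one event record (XML from $event.ToXml() or a constructed
# sample) against the Domain Controller artifacts described in the tables above.
function Test-RwmcDcIndicator {
    param([Parameter(Mandatory)][string]$EventXml)

    $x  = [xml]$EventXml
    $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $id   = [int]$x.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
    $prov = $x.SelectSingleNode('//e:System/e:Provider', $ns).GetAttribute('Name')

    # Flatten <Data Name="..."> elements into a hashtable keyed by field name.
    $d = @{}
    foreach ($n in $x.SelectNodes('//e:EventData/e:Data', $ns)) { $d[$n.GetAttribute('Name')] = $n.InnerText }

    switch ($true) {
        # Sysmon 1: msdsc.exe dumping lsass, spawned by the WMI provider host (DC table, row 2)
        { $prov -eq 'Microsoft-Windows-Sysmon' -and $id -eq 1 -and
          $d['ParentImage'] -match '\\WmiPrvSE\.exe$' -and
          $d['Image'] -match '\\Temp\\msdsc\.exe$' -and
          $d['CommandLine'] -match '^\S*msdsc\.exe\s+lsass\b' } { return 'DC-RWMC-SysmonProcess' }

        # Security 5145: msdsc.exe or lsass.dmp accessed through the C$ share (rows 3, 4, 6)
        { $prov -eq 'Microsoft-Windows-Security-Auditing' -and $id -eq 5145 -and
          $d['ShareName'] -match '\\C\$$' -and
          $d['RelativeTargetName'] -match '^windows\\temp\\(msdsc\.exe|lsass\.dmp)$' } { return 'DC-RWMC-ShareAccess' }

        # Security 4656: msdsc.exe opening the dump file for write (row 5)
        { $prov -eq 'Microsoft-Windows-Security-Auditing' -and $id -eq 4656 -and
          $d['ProcessName'] -match '\\Temp\\msdsc\.exe$' -and
          $d['ObjectName'] -match '\\Temp\\lsass\.dmp$' } { return 'DC-RWMC-DumpHandle' }

        default { return $null }
    }
}

# Constructed sample record (values modelled on the Domain Controller table above).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\Temp\msdsc.exe</Data>
    <Data Name="CommandLine">C:\Windows\temp\msdsc.exe lsass c:\windows\temp</Data>
    <Data Name="ParentImage">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
  </EventData>
</Event>
'@
Test-RwmcDcIndicator $sample   # DC-RWMC-SysmonProcess

# Live use on a domain controller; the Security events need the object-access and
# detailed-file-share audit policy, the Sysmon events need Sysmon installed (see the tables above).
Get-WinEvent -FilterHashtable @{LogName = 'Security', 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 4656, 5145} -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = Test-RwmcDcIndicator $_.ToXml()
        if ($rule) { [pscustomobject]@{ Time = $_.TimeCreated; Rule = $rule; RecordId = $_.RecordId } }
    }
```

              <p>The 5145 rule catches the tool being copied in and the dump being read back even when the source host's own logs are unavailable, because the share access is audited on the domain controller.</p>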
        </div>
        <hr class="section_divider" />
      <h2 class="section"><a href="#SourceDetails" class="collapse" id="a-SourceDetails" onclick="showhide('SourceDetails');">-</a> <a name="SourceDetails">Details: Source Host</a></h2>
        <div class="section" id="div-SourceDetails">
          <h3 class="subsection"><a href="#SourceDetails-USNJournal" class="collapse" id="a-SourceDetails-USNJournal" onclick="showhide('SourceDetails-USNJournal');">-</a> <a name="SourceDetails-USNJournal">USN Journal</a></h3>
            <div class="section" id="div-SourceDetails-USNJournal">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">File Name</th>
                    <th class="border_header">Process</th>
                    <th class="border_header">Attribute</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="3">1</td>
                    <td class="border">POWERSHELL.EXE-[RANDOM].pf</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">POWERSHELL.EXE-[RANDOM].pf</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">POWERSHELL.EXE-[RANDOM].pf</td>
                    <td class="border">CLOSE+DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">2</td>
                    <td class="border">WMIPRVSE.EXE-[RANDOM].pf</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">WMIPRVSE.EXE-[RANDOM].pf</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">WMIPRVSE.EXE-[RANDOM].pf</td>
                    <td class="border">CLOSE+DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#SourceDetails-EventLogs" class="collapse" id="a-SourceDetails-EventLogs" onclick="showhide('SourceDetails-EventLogs');">-</a> <a name="SourceDetails-EventLogs">Event Log</a></h3>
            <div class="section" id="div-SourceDetails-EventLogs">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Event Log</th>
                    <th class="border_header">Event ID</th>
                    <th class="border_header">Task Category</th>
                    <th class="border_header">Event Details</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="3">1</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process</li>
                      <li><span class="strong">CurrentDirectory</span>: Work directory</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (High)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation (Mandatory Label\High Mandatory Level)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain name)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                    <td class="border">40961</td>
                    <td class="border">PowerShell Console Startup</td>
                    <td class="border">The PowerShell console is starting up.</td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="1">2</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">13</td>
                  <td class="border">Registry value set (rule: RegistryEvent)</td>
                  <td class="border">Registry value set.<ul>
                    <li><span class="strong">EventType</span>: Registry operation type (SetValue)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\Explorer.EXE)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">Details</span>: Setting value written to the registry (Binary Data)</li>
                    <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr). UserAssist value names are ROT13-encoded; this one decodes to {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe.</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="5">3</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">11</td>
                  <td class="border">File created (rule: FileCreate)</td>
                  <td class="border">File created.<ul>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">TargetFilename</span>: Created file (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)</li>
                    <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">2</td>
                  <td class="border">File creation time changed (rule: FileCreateTime)</td>
                  <td class="border">File creation time changed.<ul>
                    <li><span class="strong">UtcTime</span>: Date and time the change occurred (UTC)</li>
                    <li><span class="strong">CreationUtcTime</span>: New timestamp (UTC)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">PreviousCreationUtcTime</span>: Old timestamp (UTC)</li>
                    <li><span class="strong">TargetFilename</span>: Name of the changed file (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)</li>
                    <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="3">4</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations)</li>
                    <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="3">5</td>
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (including DELETE)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (including DELETE)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].temp)</li>
                    <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="4">6</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">11</td>
                  <td class="border">File created (rule: FileCreate)</td>
                  <td class="border">File created.<ul>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">TargetFilename</span>: Created file (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].customDestinations-ms~RF[RANDOM].TMP)</li>
                    <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4656</td>
                  <td class="border">File System/Other Object Access Events</td>
                  <td class="border">A handle to an object was requested.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (including DELETE)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].customDestinations-ms~RF[RANDOM].TMP)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4663</td>
                  <td class="border">File System</td>
                  <td class="border">An attempt was made to access an object.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (including DELETE)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\[RANDOM].customDestinations-ms~RF[RANDOM].TMP)</li>
                    <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4658</td>
                  <td class="border">File System</td>
                  <td class="border">The handle to an object was closed.<ul>
                    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="2">7</td>
                  <td class="border">Security</td>
                  <td class="border">4703</td>
                  <td class="border">Token Right Adjusted Events</td>
                  <td class="border">A token right was adjusted.<ul>
                    <li><span class="strong">Disabled Privileges</span>: Disabled privileges (-)</li>
                    <li><span class="strong">Target Account &gt; Security ID/Account Name/Account Domain</span>: Target user SID/Account name/Domain</li>
                    <li><span class="strong">Target Account &gt; Logon ID</span>: Session ID of the target user</li>
                    <li><span class="strong">Enabled Privileges</span>: Enabled privileges (SeDebugPrivilege)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Process Information &gt; Process ID</span>: ID of the executed process</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the executed process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Security</td>
                  <td class="border">4703</td>
                  <td class="border">Token Right Adjusted Events</td>
                  <td class="border">A token right was adjusted.<ul>
                    <li><span class="strong">Disabled Privileges</span>: Disabled privileges (SeDebugPrivilege)</li>
                    <li><span class="strong">Target Account &gt; Security ID/Account Name/Account Domain</span>: Target user SID/Account name/Domain</li>
                    <li><span class="strong">Target Account &gt; Logon ID</span>: Session ID of the target user</li>
                    <li><span class="strong">Enabled Privileges</span>: Enabled privileges (-)</li>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Process Information &gt; Process ID</span>: ID of the executed process</li>
                    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the executed process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="1">8</td>
                  <td class="border">Security</td>
                  <td class="border">4673</td>
                  <td class="border">Sensitive Privilege Use</td>
                  <td class="border">A privileged service was called.<ul>
                    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                    <li><span class="strong">Process &gt; Process ID</span>: ID of the process that used the privilege</li>
                    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                    <li><span class="strong">Service Request Information &gt; Privilege</span>: Privilege used (SeCreateGlobalPrivilege)</li>
                    <li><span class="strong">Process &gt; Process Name</span>: Process that used the privilege (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="1">9</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">10</td>
                  <td class="border">Process accessed (rule: ProcessAccess)</td>
                  <td class="border">Process accessed.<ul>
                    <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process GUID/Process ID/Thread ID of the access source process</li>
                    <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                    <li><span class="strong">GrantedAccess</span>: Details of the granted access (0x40)</li>
                    <li><span class="strong">SourceImage</span>: Path to the access source process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                    <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\Explorer.EXE)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <td class="border" rowspan="2">10</td>
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">13</td>
                  <td class="border">Registry value set (rule: RegistryEvent)</td>
                  <td class="border">Registry value set.<ul>
                    <li><span class="strong">EventType</span>: Registry operation type (SetValue)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\Explorer.EXE)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">Details</span>: Setting value written to the registry (QWORD)</li>
                    <li><span class="strong">TargetObject</span>: Registry value at the write destination (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe)</li>
                    </ul></td>
                </tr>
                <tr class="border">
                  <!-- rowspan -->
                  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                  <td class="border">12</td>
                  <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
                  <td class="border">Registry object added or deleted.<ul>
                    <li><span class="strong">EventType</span>: Registry operation type (CreateKey)</li>
                    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\Explorer.EXE)</li>
                    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                    <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps)</li>
                    </ul></td>
                </tr>
              <tr class="border">
                <td class="border" rowspan="11">11</td>
                <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                <td class="border">11</td>
                <td class="border">File created (rule: FileCreate)</td>
                <td class="border">File created.<ul>
                  <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                  <li><span class="strong">TargetFilename</span>: Created file (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)</li>
                  <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                  </ul></td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Security</td>
                <td class="border">4656</td>
                <td class="border">File System/Other Object Access Events</td>
                <td class="border">A handle to an object was requested.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (including DELETE)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                  </ul></td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Security</td>
                <td class="border">4663</td>
                <td class="border">File System</td>
                <td class="border">An attempt was made to access an object.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (including DELETE)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].ps1)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Security</td>
                <td class="border">4658</td>
                <td class="border">File System</td>
                <td class="border">The handle to an object was closed.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                <td class="border">11</td>
                <td class="border">File created (rule: FileCreate)</td>
                <td class="border">File created.<ul>
                  <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                  <li><span class="strong">TargetFilename</span>: Created file (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)</li>
                  <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                  </ul></td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Security</td>
                <td class="border">4656</td>
                <td class="border">File System/Other Object Access Events</td>
                <td class="border">A handle to an object was requested.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (including DELETE)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                  </ul></td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Security</td>
                <td class="border">4663</td>
                <td class="border">File System</td>
                <td class="border">An attempt was made to access an object.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (including DELETE)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Local\Temp\[RANDOM].psm1)</li>
                  <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Security</td>
                <td class="border">4658</td>
                <td class="border">File System</td>
                <td class="border">The handle to an object was closed.<ul>
                  <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                  <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                  <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                  <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                  <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                  </ul></td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Microsoft-Windows-PowerShell/Operational</td>
                <td class="border">53504</td>
                <td class="border">PowerShell Named Pipe IPC</td>
                <td class="border">Windows PowerShell has started an IPC listening thread on process [Process ID] of the [Domain].</td>
            </tr>
            <tr class="border">
              <!-- rowspan -->
              <td class="border">Microsoft-Windows-PowerShell/Operational</td>
              <td class="border">40962</td>
              <td class="border">PowerShell Console Startup</td>
              <td class="border">PowerShell console is ready for user input</td>
          </tr>
          <tr class="border">
            <!-- rowspan -->
            <td class="border">Microsoft-Windows-PowerShell/Operational</td>
            <td class="border">40961</td>
            <td class="border">PowerShell Console Startup</td>
            <td class="border">The PowerShell console is starting up.</td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="1">12</td>
          <td class="border">Microsoft-Windows-Sysmon/Operational</td>
          <td class="border">13</td>
          <td class="border">Registry value set (rule: RegistryEvent)</td>
          <td class="border">Registry value set.<ul>
            <li><span class="strong">EventType</span>: Registry operation type</li>
            <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\Explorer.EXE)</li>
            <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
            <li><span class="strong">Details</span>: Setting value written to the registry (Binary Data)</li>
            <li><span class="strong">TargetObject</span>: Registry value at the write destination; the UserAssist subkey and program path are stored ROT13-encoded, as recorded (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="3">13</td>
          <td class="border">Security</td>
          <td class="border">4656</td>
          <td class="border">File System/Other Object Access Events</td>
          <td class="border">A handle to an object was requested.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
            <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">4663</td>
          <td class="border">File System</td>
          <td class="border">An attempt was made to access an object.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf)</li>
            <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
            <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">4658</td>
          <td class="border">File System</td>
          <td class="border">The handle to an object was closed.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\svchost.exe)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="3">14</td>
          <td class="border">Security</td>
          <td class="border">4656</td>
          <td class="border">File System/Other Object Access Events</td>
          <td class="border">A handle to an object was requested.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
            <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">4663</td>
          <td class="border">File System</td>
          <td class="border">An attempt was made to access an object.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt)</li>
            <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
            <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">4658</td>
          <td class="border">File System</td>
          <td class="border">The handle to an object was closed.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <td class="border" rowspan="3">15</td>
          <td class="border">Security</td>
          <td class="border">4656</td>
          <td class="border">File System/Other Object Access Events</td>
          <td class="border">A handle to an object was requested.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
            <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">4663</td>
          <td class="border">File System</td>
          <td class="border">An attempt was made to access an object.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[User Name]\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive)</li>
            <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
            <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
            </ul></td>
        </tr>
        <tr class="border">
          <!-- rowspan -->
          <td class="border">Security</td>
          <td class="border">4658</td>
          <td class="border">File System</td>
          <td class="border">The handle to an object was closed.<ul>
            <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
            <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
            <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
            <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
            <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
            </ul></td>
        </tr>
      <tr class="border">
        <td class="border" rowspan="1">16</td>
        <td class="border">Microsoft-Windows-Sysmon/Operational</td>
        <td class="border">12</td>
        <td class="border">Registry object added or deleted (rule: RegistryEvent)</td>
        <td class="border">Registry object added or deleted.<ul>
          <li><span class="strong">EventType</span>: Registry operation type (CreateKey)</li>
          <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
          <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
          <li><span class="strong">TargetObject</span>: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)</li>
          </ul></td>
      </tr>
      <tr class="border">
        <td class="border" rowspan="3">17</td>
        <td class="border">Microsoft-Windows-Sysmon/Operational</td>
        <td class="border">1</td>
        <td class="border">Process Create (rule: ProcessCreate)</td>
        <td class="border">Process Create.<ul>
          <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
          <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
          <li><span class="strong">ParentImage</span>: Executable file of the parent process</li>
          <li><span class="strong">CurrentDirectory</span>: Working directory (C:\Windows\system32)</li>
          <li><span class="strong">CommandLine</span>: Command line of the execution command (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -ExecutionPolicy Bypass -File .\RWMC\[PowerShell Script Tool] 0)</li>
          <li><span class="strong">IntegrityLevel</span>: Privilege level (High)</li>
          <li><span class="strong">ParentCommandLine</span>: Command line of the parent process</li>
          <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
          <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
          <li><span class="strong">User</span>: Execute as user</li>
          <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
          <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
          </ul></td>
      </tr>
      <tr class="border">
        <!-- rowspan -->
        <td class="border">Security</td>
        <td class="border">4688</td>
        <td class="border">Process Create</td>
        <td class="border">A new process has been created.<ul>
          <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation (Mandatory Label\High Mandatory Level)</li>
          <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool ([Host Name]$)</li>
          <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
          <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain name)</li>
          <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
          <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
          <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
          <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
          <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
          </ul></td>
      </tr>
      <tr class="border">
        <!-- rowspan -->
        <td class="border">Microsoft-Windows-PowerShell/Operational</td>
        <td class="border">40961</td>
        <td class="border">PowerShell Console Startup</td>
        <td class="border">The PowerShell console is starting up.</td>
    </tr>
<tr class="border">
  <td class="border" rowspan="2">18</td>
  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
  <td class="border">5</td>
  <td class="border">Process terminated (rule: ProcessTerminate)</td>
  <td class="border">Process terminated.<ul>
    <li><span class="strong">UtcTime</span>: Process termination date and time (UTC)</li>
    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
    <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
    </ul></td>
</tr>
<tr class="border">
  <!-- rowspan -->
  <td class="border">Security</td>
  <td class="border">4689</td>
  <td class="border">Process Termination</td>
  <td class="border">A process has exited.<ul>
    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
    <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
    <li><span class="strong">Log Date and Time</span>: Process termination date and time (local time)</li>
    <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
    </ul></td>
</tr>
<tr class="border">
  <td class="border" rowspan="4">19</td>
  <td class="border">Microsoft-Windows-PowerShell/Operational</td>
  <td class="border">40961</td>
  <td class="border">PowerShell Console Startup</td>
  <td class="border">The PowerShell console is starting up.</td>
</tr>
<tr class="border">
<!-- rowspan -->
<td class="border">Microsoft-Windows-PowerShell/Operational</td>
<td class="border">53504</td>
<td class="border">PowerShell Named Pipe IPC</td>
<td class="border">Windows PowerShell has started an IPC listening thread on process [Process ID] of the [Domain].</td>
</tr>
<tr class="border">
<!-- rowspan -->
<td class="border">Microsoft-Windows-PowerShell/Operational</td>
<td class="border">40962</td>
<td class="border">PowerShell Console Startup</td>
<td class="border">PowerShell console is ready for user input</td>
</tr>
<tr class="border">
<!-- rowspan -->
<td class="border">Microsoft-Windows-PowerShell/Operational</td>
<td class="border">4104</td>
<td class="border">Execute a Remote Command.</td>
<td class="border">Creating Scriptblock text.<ul>
<li><span class="strong">Message</span>: Content of the executed script block. The PowerShell script content is recorded as is (&apos;Start-Process -FilePath powershell.exe -ArgumentList &quot;-ExecutionPolicy Bypass -File .\RWMC\[PowerShell Script Tool] 0&quot;&apos;).</li>
</ul></td>
</tr>
                  <tr class="border">
                    <td class="border" rowspan="1">20</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetFilename</span>: Created file ([Execution Path to Tool]\[Date and Time])</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">21</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetFilename</span>: Created file ([Execution Path to Tool]\[Date and Time]\Log_[Date and Time].log)</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Execution Path to Tool]\[Date and Time]\Log_[Date and Time].log)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">22</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">CurrentDirectory</span>: Working directory (C:\Windows\system32)</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (C:\Windows\System32\wbem\wmiprvse.exe -secured -Embedding)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (System)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (C:\Windows\system32\svchost.exe -k DcomLaunch)</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to the parent process that created the new process (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">23</td>
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">24</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (135)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (135)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">25</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (135)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (135)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">26</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">27</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">28</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">29</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (135)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (135)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
  <tr class="border">
    <td class="border" rowspan="3">30</td>
    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
    <td class="border">3</td>
    <td class="border">Network connection detected (rule: NetworkConnect)</td>
    <td class="border">Network connection detected.<ul>
      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">5158</td>
    <td class="border">Filtering Platform Connection</td>
    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">5156</td>
    <td class="border">Filtering Platform Connection</td>
    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process</li>
      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
      </ul></td>
  </tr>
  <tr class="border">
    <td class="border" rowspan="3">31</td>
    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
    <td class="border">3</td>
    <td class="border">Network connection detected (rule: NetworkConnect)</td>
    <td class="border">Network connection detected.<ul>
      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
      <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">5158</td>
    <td class="border">Filtering Platform Connection</td>
    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">5156</td>
    <td class="border">Filtering Platform Connection</td>
    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process</li>
      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
      </ul></td>
  </tr>
  <tr class="border">
    <td class="border" rowspan="3">32</td>
    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
    <td class="border">3</td>
    <td class="border">Network connection detected (rule: NetworkConnect)</td>
    <td class="border">Network connection detected.<ul>
      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">5158</td>
    <td class="border">Filtering Platform Connection</td>
    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">5156</td>
    <td class="border">Filtering Platform Connection</td>
    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process</li>
      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
      </ul></td>
  </tr>
  <tr class="border">
    <td class="border" rowspan="3">33</td>
    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
    <td class="border">3</td>
    <td class="border">Network connection detected (rule: NetworkConnect)</td>
    <td class="border">Network connection detected.<ul>
      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
      <li><span class="strong">DestinationPort</span>: Destination port number (445)</li>
      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">5158</td>
    <td class="border">Filtering Platform Connection</td>
    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (445)</li>
      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">5156</td>
    <td class="border">Filtering Platform Connection</td>
    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (445)</li>
      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process</li>
      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
      </ul></td>
  </tr>
  <tr class="border">
    <td class="border" rowspan="3">34</td>
    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
    <td class="border">3</td>
    <td class="border">Network connection detected (rule: NetworkConnect)</td>
    <td class="border">Network connection detected.<ul>
      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
      <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">5158</td>
    <td class="border">Filtering Platform Connection</td>
    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (88)</li>
      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">5156</td>
    <td class="border">Filtering Platform Connection</td>
    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process</li>
      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
      </ul></td>
  </tr>
  <tr class="border">
    <td class="border" rowspan="3">35</td>
    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
    <td class="border">3</td>
    <td class="border">Network connection detected (rule: NetworkConnect)</td>
    <td class="border">Network connection detected.<ul>
      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">5158</td>
    <td class="border">Filtering Platform Connection</td>
    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">5156</td>
    <td class="border">Filtering Platform Connection</td>
    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process</li>
      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
      </ul></td>
  </tr>
  <tr class="border">
    <td class="border" rowspan="4">36</td>
    <td class="border">Security</td>
    <td class="border">4656</td>
    <td class="border">File System/Other Object Access Events</td>
    <td class="border">A handle to an object was requested.<ul>
      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, AppendData, and WRITE_DAC)</li>
      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Path to Tool]\[Date and Time]\lsass.dmp)</li>
      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">4663</td>
    <td class="border">File System</td>
    <td class="border">An attempt was made to access an object.<ul>
      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData, WRITE_DAC)</li>
      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Path to Tool]\[Date and Time]\lsass.dmp)</li>
      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">4670</td>
    <td class="border">Authorization Policy Change</td>
    <td class="border">Permissions on an object were changed.<ul>
      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
      <li><span class="strong">Audit Success</span>: Success or failure (change successful)</li>
      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Path to Tool]\[Date and Time]\lsass.dmp)</li>
      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool</li>
      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs</li>
      <li><span class="strong">Change permissions &gt; New security descriptor</span>: Security descriptor after the change (D:AI(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;[SID])</li>
      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
      <li><span class="strong">Change permissions &gt; Original security descriptor</span>: Security descriptor before the change (D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;[SID])</li>
      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool</li>
      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">4658</td>
    <td class="border">File System</td>
    <td class="border">The handle to an object was closed.<ul>
      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <td class="border" rowspan="3">37</td>
    <td class="border">Security</td>
    <td class="border">4656</td>
    <td class="border">File System/Other Object Access Events</td>
    <td class="border">A handle to an object was requested.<ul>
      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Path to Tool]\RWMC\bufferCommand.txt)</li>
      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">4663</td>
    <td class="border">File System</td>
    <td class="border">An attempt was made to access an object.<ul>
      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (WriteData or AddFile, AppendData)</li>
      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
      <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Path to Tool]\RWMC\bufferCommand.txt)</li>
      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">4658</td>
    <td class="border">File System</td>
    <td class="border">The handle to an object was closed.<ul>
      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <td class="border" rowspan="3">38</td>
    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
    <td class="border">1</td>
    <td class="border">Process Create (rule: ProcessCreate)</td>
    <td class="border">Process Create.<ul>
      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
      <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
      <li><span class="strong">CurrentDirectory</span>: Work directory (path to the tool)</li>
      <li><span class="strong">CommandLine</span>: Command line of the execution command ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe [Option])</li>
      <li><span class="strong">IntegrityLevel</span>: Privilege level</li>
      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -ExecutionPolicy Bypass -File .\RWMC\[PowerShell Script Tool] 0)</li>
      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
      <li><span class="strong">User</span>: Execute as user</li>
      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
      <li><span class="strong">Image</span>: Path to the executable file ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">4688</td>
    <td class="border">Process Create</td>
    <td class="border">A new process has been created.<ul>
      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to the parent process that created the new process (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)</li>
      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe)</li>
      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Microsoft-Windows-PowerShell/Operational</td>
    <td class="border">4104</td>
    <td class="border">Execute a Remote Command.</td>
    <td class="border">Creating Scriptblock text.<ul>
      <li><span class="strong">Message</span>: The content of the script executed. The content of the executed PowerShell script is recorded as is.</li>
      </ul></td>
  </tr>
<tr class="border">
  <td class="border" rowspan="4">39</td>
  <td class="border">Microsoft-Windows-Sysmon/Operational</td>
  <td class="border">11</td>
  <td class="border">File created (rule: FileCreate)</td>
  <td class="border">File created.<ul>
    <li><span class="strong">Image</span>: Path to the executable file ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe)</li>
    <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
    <li><span class="strong">TargetFilename</span>: Created file ([Path to Tool]\RWMC\debugger\pre2r2vm\DBG0.tmp)</li>
    <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
    </ul></td>
</tr>
<tr class="border">
  <!-- rowspan -->
  <td class="border">Security</td>
  <td class="border">4656</td>
  <td class="border">File System/Other Object Access Events</td>
  <td class="border">A handle to an object was requested.<ul>
    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (DELETE, ReadAttributes)</li>
    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
    <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Path to Tool]\RWMC\debugger\pre2r2vm\DBG0.tmp)</li>
    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe)</li>
    <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
    </ul></td>
</tr>
<tr class="border">
  <!-- rowspan -->
  <td class="border">Security</td>
  <td class="border">4663</td>
  <td class="border">File System</td>
  <td class="border">An attempt was made to access an object.<ul>
    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
    <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Access right exercised (DELETE)</li>
    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
    <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Path to Tool]\RWMC\debugger\pre2r2vm\DBG0.tmp)</li>
    <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that accessed the object ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe)</li>
    <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
    </ul></td>
</tr>
<tr class="border">
  <!-- rowspan -->
  <td class="border">Security</td>
  <td class="border">4660</td>
  <td class="border">File System</td>
  <td class="border">An object was deleted.<ul>
    <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
    <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
    <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
    <li><span class="strong">Object &gt; Object Name</span>: Target file name ([Path to Tool]\RWMC\debugger\pre2r2vm\DBG0.tmp)</li>
    <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe)</li>
    <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
    <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
    </ul></td>
</tr>
  <tr class="border">
    <td class="border" rowspan="2">40</td>
    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
    <td class="border">5</td>
    <td class="border">Process terminated (rule: ProcessTerminate)</td>
    <td class="border">Process terminated.<ul>
      <li><span class="strong">UtcTime</span>: Process terminated date and time (UTC)</li>
      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
      <li><span class="strong">Image</span>: Path to the executable file ([Path to Tool]\RWMC\debugger\pre2r2vm\cdb.exe)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">4689</td>
    <td class="border">Process Termination</td>
    <td class="border">A process has exited.<ul>
      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
      <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file ([Path to Tool]\debugger\pre2r2vm\cdb.exe)</li>
      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
      </ul></td>
  </tr>
  <tr class="border">
    <td class="border" rowspan="3">41</td>
    <td class="border">Security</td>
    <td class="border">4656</td>
    <td class="border">File System/Other Object Access Events</td>
    <td class="border">A handle to an object was requested.<ul>
      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested access rights (including WriteData or AddFile, and AppendData)</li>
      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\CDB.EXE-[RANDOM].pf)</li>
      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)</li>
      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">4663</td>
    <td class="border">File System</td>
    <td class="border">An attempt was made to access an object.<ul>
      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Access rights exercised (WriteData or AddFile, AppendData)</li>
      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\CDB.EXE-[RANDOM].pf)</li>
      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)</li>
      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
      </ul></td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">Security</td>
    <td class="border">4658</td>
    <td class="border">File System</td>
    <td class="border">The handle to an object was closed.<ul>
      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
      </ul></td>
  </tr>
</tbody>
</table>
</div>
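<p>The 4656/4663/4660/4658 sequences in rows 39 and 41 are only meaningful once they are joined on the Handle ID, and the Handle ID alone is not unique on a host. The following Python is an added example, not part of this analysis sheet or of the RWMC tool: it joins the events on Process ID plus Handle ID, expands the Access Mask into named rights, and flags the debugger deleting the temporary file it opened for DELETE. The event records, process IDs, handle IDs, tool path and Prefetch hash are constructed samples in the shape of the fields listed above, not captured logs.</p>

```python
"""Join Security events 4656/4663/4660/4658 into file-handle lifecycles.

Added example, not part of the original sheet. Sample events are constructed
in the shape of the fields listed in rows 39 and 41; PIDs, handle IDs, the
tool path and the Prefetch hash are hypothetical.
"""

# Access-right bits for file objects, as shown in the 4656/4663 Access Mask.
FILE_ACCESS_BITS = [
    (0x1, "ReadData"), (0x2, "WriteData"), (0x4, "AppendData"),
    (0x8, "ReadEA"), (0x10, "WriteEA"), (0x20, "Execute"),
    (0x40, "DeleteChild"), (0x80, "ReadAttributes"), (0x100, "WriteAttributes"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]

CDB = r"C:\Tools\RWMC\debugger\pre2r2vm\cdb.exe"       # hypothetical tool path
TMP = r"C:\Tools\RWMC\debugger\pre2r2vm\DBG0.tmp"
SVCHOST = r"C:\Windows\System32\svchost.exe"
PF = r"C:\Windows\Prefetch\CDB.EXE-0A1B2C3D.pf"          # hypothetical hash

# Constructed sample events (not captured logs).
SAMPLE_EVENTS = [
    # Row 39: cdb.exe opens DBG0.tmp for DELETE|ReadAttributes, then deletes it.
    {"EventID": 4656, "ProcessId": "0x1a4c", "HandleId": "0x3f8", "ProcessName": CDB,
     "ObjectName": TMP, "AccessMask": "0x10080", "SubjectLogonId": "0x5e3a1"},
    {"EventID": 4663, "ProcessId": "0x1a4c", "HandleId": "0x3f8", "ProcessName": CDB,
     "ObjectName": TMP, "AccessMask": "0x10000", "SubjectLogonId": "0x5e3a1"},
    {"EventID": 4660, "ProcessId": "0x1a4c", "HandleId": "0x3f8", "ProcessName": CDB,
     "SubjectLogonId": "0x5e3a1"},
    # Row 41: svchost.exe writes the Prefetch file; same handle value, other PID.
    {"EventID": 4656, "ProcessId": "0x4b0", "HandleId": "0x3f8", "ProcessName": SVCHOST,
     "ObjectName": PF, "AccessMask": "0x6", "SubjectLogonId": "0x3e7"},
    {"EventID": 4663, "ProcessId": "0x4b0", "HandleId": "0x3f8", "ProcessName": SVCHOST,
     "ObjectName": PF, "AccessMask": "0x6", "SubjectLogonId": "0x3e7"},
    {"EventID": 4658, "ProcessId": "0x4b0", "HandleId": "0x3f8", "ProcessName": SVCHOST,
     "SubjectLogonId": "0x3e7"},
]


def decode_access_mask(mask):
    """Expand a hex Access Mask string into the named rights it contains."""
    value = int(mask, 16)
    names = [name for bit, name in FILE_ACCESS_BITS if value & bit]
    rest = value & ~sum(bit for bit, _ in FILE_ACCESS_BITS)
    if rest:
        names.append(hex(rest))  # bits outside the table (e.g. generic rights)
    return names


def reconstruct_handle_chains(events):
    """Group events by (ProcessId, HandleId) into open-use-close lifecycles.

    Handle values are per process and are reused after a close, so the key
    includes the PID and every 4656 starts a fresh chain. Events are assumed
    to be in log order.
    """
    chains, open_chains = [], {}
    for ev in events:
        key, eid = (ev["ProcessId"], ev["HandleId"]), ev["EventID"]
        if eid == 4656 or key not in open_chains:
            open_chains[key] = {"process": ev["ProcessName"], "logon_id": ev.get("SubjectLogonId"),
                                "object": ev.get("ObjectName"), "requested": [], "used": [],
                                "outcome": "open"}
            chains.append(open_chains[key])
        chain = open_chains[key]
        if eid == 4656:
            chain["requested"] = decode_access_mask(ev["AccessMask"])
        elif eid == 4663:
            chain["object"] = chain["object"] or ev.get("ObjectName")
            chain["used"] += [r for r in decode_access_mask(ev["AccessMask"]) if r not in chain["used"]]
        elif eid == 4660:
            chain["outcome"] = "deleted"   # object name comes from the 4656, not from 4660
        elif eid == 4658:
            if chain["outcome"] == "open":
                chain["outcome"] = "closed"
            open_chains.pop(key)           # the handle value may now be reused
    return chains


def find_debugger_tempfile_deletions(events, image="cdb.exe"):
    """Chains where the debugger image deleted a .tmp it opened for DELETE."""
    hits = []
    for chain in reconstruct_handle_chains(events):
        proc = chain["process"].rsplit("\\", 1)[-1].lower()
        obj = (chain["object"] or "").lower()
        if proc == image and obj.endswith(".tmp") and "DELETE" in chain["used"] and chain["outcome"] == "deleted":
            hits.append(chain)
    return hits


if __name__ == "__main__":
    for hit in find_debugger_tempfile_deletions(SAMPLE_EVENTS):
        print(hit["process"], "deleted", hit["object"], "using", hit["used"])
```

<p>The sample deliberately reuses the handle value 0x3f8 in both processes: without the Process ID in the join key the svchost.exe Prefetch write would be merged into the cdb.exe chain. The object name is carried forward from the 4656 so that the terminating event does not have to repeat it.</p>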
<h3 class="subsection"><a href="#SourceDetails-UserAssist" class="collapse" id="a-SourceDetails-UserAssist" onclick="showhide('SourceDetails-UserAssist');">-</a> <a name="SourceDetails-UserAssist">UserAssist</a></h3>
<div class="section" id="div-SourceDetails-UserAssist">
<table class="border">
<thead>
  <tr class="border">
    <th class="border_header">#</th>
    <th class="border_header">Registry Entry</th>
    <th class="border_header">Information That Can Be Confirmed</th>
  </tr>
</thead>
<tbody>
  <tr class="border">
    <td class="border" rowspan="1">1</td>
    <td class="border">\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkr</td>
    <td class="border">Date and time of the last execution (updated on every run, so after a single run it is also the initial execution time), Total number of executions</td>
  </tr>
</tbody>
</table>
</div>
<h3 class="subsection"><a href="#SourceDetails-MFT" class="collapse" id="a-SourceDetails-MFT" onclick="showhide('SourceDetails-MFT');">-</a> <a name="SourceDetails-MFT">MFT</a></h3>
<div class="section" id="div-SourceDetails-MFT">
<table class="border">
<thead>
  <tr class="border">
    <th class="border_header">#</th>
    <th class="border_header">Path</th>
    <th class="border_header">Header Flag</th>
    <th class="border_header">Validity</th>
  </tr>
</thead>
<tbody>
  <tr class="border">
    <td class="border" rowspan="1">1</td>
    <td class="border">[Drive Name]:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf</td>
    <td class="border">FILE</td>
    <td class="border">ALLOCATED</td>
  </tr>
  <tr class="border">
    <td class="border" rowspan="1">2</td>
    <td class="border">[Drive Name]:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf</td>
    <td class="border">FILE</td>
    <td class="border">ALLOCATED</td>
  </tr>
</tbody>
</table>
</div>
<h3 class="subsection"><a href="#SourceDetails-Prefetch" class="collapse" id="a-SourceDetails-Prefetch" onclick="showhide('SourceDetails-Prefetch');">-</a> <a name="SourceDetails-Prefetch">Prefetch</a></h3>
<div class="section" id="div-SourceDetails-Prefetch">
<table class="border">
<thead>
  <tr class="border">
    <th class="border_header">#</th>
    <th class="border_header">Prefetch File</th>
    <th class="border_header">Process Name</th>
    <th class="border_header">Process Path</th>
    <th class="border_header">Information That Can Be Confirmed</th>
  </tr>
</thead>
<tbody>
  <tr class="border">
    <td class="border" rowspan="2">1</td>
    <td class="border">C:\Windows\Prefetch\POWERSHELL.EXE-[RANDOM].pf</td>
    <td class="border">POWERSHELL.EXE</td>
    <td class="border">C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE</td>
    <td class="border">Last Run Time (last execution date and time)</td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">C:\Windows\Prefetch\WMIPRVSE.EXE-[RANDOM].pf</td>
    <td class="border">WMIPRVSE.EXE</td>
    <td class="border">C:\WINDOWS\SYSTEM32\WMIPRVSE.EXE</td>
    <td class="border">Last Run Time (last execution date and time)</td>
  </tr>
</tbody>
</table>
</div>
<h3 class="subsection"><a href="#SourceDetails-Registry" class="collapse" id="a-SourceDetails-Registry" onclick="showhide('SourceDetails-Registry');">-</a> <a name="SourceDetails-Registry">Registry Entry</a></h3>
<div class="section" id="div-SourceDetails-Registry">
<table class="border">
<thead>
  <tr class="border">
    <th class="border_header">#</th>
    <th class="border_header">Path</th>
    <th class="border_header">Type</th>
    <th class="border_header">Value</th>
  </tr>
</thead>
<tbody>
  <tr class="border">
    <td class="border" rowspan="2">1</td>
    <td class="border">\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe</td>
    <td class="border">QWORD</td>
    <td class="border">(QWORD value)</td>
  </tr>
  <tr class="border">
    <!-- rowspan -->
    <td class="border">\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps</td>
    <td class="border">Key</td>
    <td class="border">(No value to be set)</td>
  </tr>
</tbody>
</table>
</div>
</div>
      <h2 class="section"><a href="#ADDetails" class="collapse" id="a-ADDetails" onclick="showhide('ADDetails');">-</a> <a name="ADDetails">Details: Domain Controller</a></h2>
        <div class="section" id="div-ADDetails">
          <h3 class="subsection"><a href="#ADDetails-EventLogs" class="collapse" id="a-ADDetails-EventLogs" onclick="showhide('ADDetails-EventLogs');">-</a> <a name="ADDetails-EventLogs">Event Log</a></h3>
            <div class="section" id="div-ADDetails-EventLogs">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Event Log</th>
                    <th class="border_header">Event ID</th>
                    <th class="border_header">Task Category</th>
                    <th class="border_header">Event Details</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="2">1</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (135)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (135)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">2</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (135)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (135)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">3</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (88)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (88)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">4</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (88)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (88)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">5</td>
                    <td class="border">Security</td>
                    <td class="border">4768</td>
                    <td class="border">Kerberos Authentication Service</td>
                    <td class="border">A Kerberos authentication ticket (TGT) was requested.<ul>
                      <li><span class="strong">Network Information &gt; Client Address</span>: Source IP address that requested the ticket (source host IP address)</li>
                      <li><span class="strong">Account Information &gt; Supplied Realm Name</span>: Domain of the account</li>
                      <li><span class="strong">Additional Information &gt; Ticket Option</span>: Ticket settings (0x40810010)</li>
                      <li><span class="strong">Account Information &gt; Account Name</span>: Name of the account from which the ticket was requested</li>
                      <li><span class="strong">Additional Information &gt; Result Code</span>: Ticket processing result (0x0)</li>
                      <li><span class="strong">Network Information &gt; Client Port</span>: Source port number of the ticket request (high port)</li>
                      <li><span class="strong">Account Information &gt; User ID</span>: SID of the account</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">6</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (88)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (88)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">7</td>
                    <td class="border">Security</td>
                    <td class="border">4769</td>
                    <td class="border">Kerberos Service Ticket Operations</td>
                    <td class="border">A Kerberos service ticket was requested.<ul>
                      <li><span class="strong">Network Information &gt; Client Address</span>: Source IP address that requested the ticket (source host IP address)</li>
                      <li><span class="strong">Account Information &gt; Account Domain</span>: Domain of the account</li>
                      <li><span class="strong">Account Information &gt; Account Name</span>: Name of the account from which the ticket was requested</li>
                      <li><span class="strong">Additional Information &gt; Ticket Option</span>: Ticket settings (0x40810000)</li>
                      <li><span class="strong">Additional Information &gt; Error Code</span>: Ticket processing result (0x0)</li>
                      <li><span class="strong">Service Information &gt; Service Name</span>: Ticket service name ([Domain Controller Host Name]$)</li>
                      <li><span class="strong">Account Information &gt; Logon GUID</span>: Session ID of the logon</li>
                      <li><span class="strong">Service Information &gt; Service ID</span>: SID of the service</li>
                      <li><span class="strong">Network Information &gt; Client Port</span>: Source port number of the ticket request (high port)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">8</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (135)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address; Sysmon records the local end of the connection as the source, so for this connection accepted by the Domain Controller the source is the listener and the Initiated field is false)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (135)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">9</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address; Sysmon records the local end of the connection as the source, so for this connection accepted by the Domain Controller the source is the listener and the Initiated field is false)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">10</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM; lsass.exe runs as LocalSystem)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (88)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address; Sysmon records the local end of the connection as the source, so for this connection accepted by the Domain Controller the source is the listener and the Initiated field is false)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (88)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">11</td>
                    <td class="border">Security</td>
                    <td class="border">4769</td>
                    <td class="border">A Kerberos service ticket was requested</td>
                    <td class="border">A Kerberos service ticket was requested.<ul>
                      <li><span class="strong">Network Information &gt; Client Address</span>: Source IP address that requested the ticket (source host IP address)</li>
                      <li><span class="strong">Account Information &gt; Account Domain</span>: Domain of the account</li>
                      <li><span class="strong">Account Information &gt; Account Name</span>: Name of the account from which the ticket was requested</li>
                      <li><span class="strong">Additional Information &gt; Ticket Option</span>: Ticket settings (0x40810000)</li>
                      <li><span class="strong">Additional Information &gt; Error Code</span>: Ticket processing result (0x0)</li>
                      <li><span class="strong">Service Information &gt; Service Name</span>: Ticket service name ([Domain Controller Host Name]$)</li>
                      <li><span class="strong">Account Information &gt; Logon GUID</span>: Session ID of the logon</li>
                      <li><span class="strong">Service Information &gt; Service ID</span>: SID of the service</li>
                      <li><span class="strong">Network Information &gt; Client Port</span>: Source port number of the ticket request (high port)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">12</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address; Sysmon records the local end of the connection as the source, so for this connection accepted by the Domain Controller the source is the listener and the Initiated field is false)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">13</td>
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">14</td>
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">15</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">CurrentDirectory</span>: Work directory (C:\Windows\system32)</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (C:\Windows\System32\wbem\wmiprvse.exe -secured -Embedding)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (System)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (C:\Windows\system32\svchost.exe -k DcomLaunch; the DCOM launcher starting WmiPrvSE.exe is the host-side trace of a remote WMI request reaching the Domain Controller)</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">16</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM; lsass.exe runs as LocalSystem)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (445)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address; Sysmon records the local end of the connection as the source, so for this connection accepted by the Domain Controller the source is the listener and the Initiated field is false)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (445)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">17</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM; lsass.exe runs as LocalSystem)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (88)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (88)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">18</td>
                    <td class="border">Security</td>
                    <td class="border">4769</td>
                    <td class="border">A Kerberos service ticket was requested</td>
                    <td class="border">A Kerberos service ticket was requested.<ul>
                      <li><span class="strong">Network Information &gt; Client Address</span>: Source IP address that requested the ticket (source host IP address)</li>
                      <li><span class="strong">Account Information &gt; Account Domain</span>: Domain of the account</li>
                      <li><span class="strong">Account Information &gt; Account Name</span>: Name of the account from which the ticket was requested</li>
                      <li><span class="strong">Additional Information &gt; Ticket Option</span>: Ticket settings (0x40810000)</li>
                      <li><span class="strong">Additional Information &gt; Error Code</span>: Ticket processing result (0x0)</li>
                      <li><span class="strong">Service Information &gt; Service Name</span>: Ticket service name ([Domain Controller Host Name]$)</li>
                      <li><span class="strong">Account Information &gt; Logon GUID</span>: Session ID of the logon</li>
                      <li><span class="strong">Service Information &gt; Service ID</span>: SID of the service</li>
                      <li><span class="strong">Network Information &gt; Client Port</span>: Source port number of the ticket request (high port)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">19</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (88)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (88)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">20</td>
                    <td class="border">Security</td>
                    <td class="border">4769</td>
                    <td class="border">A Kerberos service ticket was requested</td>
                    <td class="border">A Kerberos service ticket was requested.<ul>
                      <li><span class="strong">Network Information &gt; Client Address</span>: Source IP address that requested the ticket (source host IP address)</li>
                      <li><span class="strong">Account Information &gt; Account Domain</span>: Domain of the account</li>
                      <li><span class="strong">Account Information &gt; Account Name</span>: Name of the account from which the ticket was requested</li>
                      <li><span class="strong">Additional Information &gt; Ticket Option</span>: Ticket settings (0x60810000)</li>
                      <li><span class="strong">Additional Information &gt; Error Code</span>: Ticket processing result (0x0)</li>
                      <li><span class="strong">Service Information &gt; Service Name</span>: Ticket service name ([Domain Controller Host Name]$)</li>
                      <li><span class="strong">Account Information &gt; Logon GUID</span>: Session ID of the logon</li>
                      <li><span class="strong">Service Information &gt; Service ID</span>: SID of the service</li>
                      <li><span class="strong">Network Information &gt; Client Port</span>: Source port number of the ticket request (high port)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">21</td>
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">22</td>
                    <td class="border">Security</td>
                    <td class="border">5140</td>
                    <td class="border">File Sharing</td>
                    <td class="border">A network share object was accessed.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Shared path</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (ReadData or ListDirectory)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name used (\\*\IPC$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Shared path</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\IPC$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (winreg)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">23</td>
                    <td class="border">Security</td>
                    <td class="border">5140</td>
                    <td class="border">File Sharing</td>
                    <td class="border">A network share object was accessed.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (including WriteData or AddFile)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name used (\\*\C$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (WriteData or AddFile)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\C$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (windows\temp\msdsc.exe)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (System; the file is written by the kernel-mode SMB server on behalf of the remote client, so no user-mode process appears here)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID (4 = System process)</li>
                      <li><span class="strong">TargetFilename</span>: Created file (C:\Windows\Temp\msdsc.exe)</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">24</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\NETWORK SERVICE)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">25</td>
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">26</td>
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">27</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\wbem\WmiPrvSE.exe)</li>
                      <li><span class="strong">CurrentDirectory</span>: Work directory (C:\Windows\system32)</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (C:\Windows\temp\msdsc.exe lsass c:\windows\temp)</li>
                      <li><span class="strong">IntegrityLevel</span>: Integrity level of the process (High)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding)</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\Temp\msdsc.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to parent process that created the new process</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\Temp\msdsc.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">28</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">10</td>
                    <td class="border">Process accessed (rule: ProcessAccess)</td>
                    <td class="border">Process accessed.<ul>
                      <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process GUID/Process ID/Thread ID of the access source process</li>
                      <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process GUID/Process ID of the access destination process</li>
                      <li><span class="strong">GrantedAccess</span>: Access rights granted on the handle (0x1FFFFF = PROCESS_ALL_ACCESS)</li>
                      <li><span class="strong">SourceImage</span>: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe)</li>
                      <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\windows\temp\msdsc.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">29</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\temp\msdsc.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetFilename</span>: Created file (C:\Windows\Temp\lsass.dmp)</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Temp\lsass.dmp)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\Temp\msdsc.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\Temp\msdsc.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                      <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\Temp\msdsc.exe)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">30</td>
                    <td class="border">Security</td>
                    <td class="border">4634</td>
                    <td class="border">Logoff</td>
                    <td class="border">An account was logged off.<ul>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">31</td>
                    <td class="border">Security</td>
                    <td class="border">5140</td>
                    <td class="border">File Sharing</td>
                    <td class="border">A network share object was accessed.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (ReadData or ListDirectory)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name used (\\*\C$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (including READ_CONTROL, SYNCHRONIZE, ReadData or ListDirectory, ReadEA, and ReadAttributes)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\C$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (windows\temp\lsass.dmp)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">32</td>
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (including SYNCHRONIZE, ReadAttributes, WriteAttributes, and DELETE)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\C$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (windows\temp\msdsc.exe)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (including DELETE)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Temp\msdsc.exe)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Temp\msdsc.exe)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4660</td>
                    <td class="border">File System</td>
                    <td class="border">An object was deleted.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">33</td>
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Share path (\??\C:\)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege (including DELETE)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\\*\C$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (WINDOWS\TEMP\LSASS.DMP)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x4)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (including DELETE)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Temp\lsass.dmp)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Temp\lsass.dmp)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4660</td>
                    <td class="border">File System</td>
                    <td class="border">An object was deleted.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                </tbody>
              </table>
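<p>Detection logic for the chain the table above records, as an added example that is not part of the original report: the event records are constructed to mirror the listed fields (Security 4688, Sysmon 10 and 11, Security 5145 and 4663 with DELETE), field names follow the Windows/Sysmon EventData names, and the host, user and address values are made up.</p>

```python
"""Correlate the domain-controller event chain for a memory-dump tool:
launch from C:\\Windows\\Temp (4688), WmiPrvSE full access (Sysmon 10),
lsass.dmp written (Sysmon 11), dump read over C$ (5145), files deleted (4663).
Added example; the events below are constructed, not taken from a real host."""
import re
from collections import defaultdict

TEMP_DIR = re.compile(r"^c:\\windows\\temp\\", re.I)   # executables dropped here
DUMP_NAME = re.compile(r"\\lsass\.dmp$", re.I)
SYSMON = "Microsoft-Windows-Sysmon/Operational"


def norm(path):
    """Case-fold a Windows path so C:\\windows\\temp and C:\\Windows\\Temp match."""
    return path.lower()


def share_target(ev):
    """Rebuild the local path a 5145 event refers to: \\??\\C:\\ + relative name."""
    root = ev["ShareLocalPath"]
    if root.startswith("\\??\\"):
        root = root[4:]
    return norm(root + ev["RelativeTargetName"])


def correlate(events):
    """Map each executable launched from Temp to the stages observed for it.
    Events are expected in chronological order, as the report numbers them."""
    stages = defaultdict(list)   # exe path -> observed stages
    dumps = {}                   # dump path -> exe that wrote it
    for ev in events:
        ch, eid = ev["Channel"], ev["EventID"]
        if ch == "Security" and eid == 4688:
            exe = norm(ev["NewProcessName"])
            if TEMP_DIR.match(exe):
                stages[exe].append("4688: launched from Temp")
        elif ch == SYSMON and eid == 10:
            src, tgt = norm(ev["SourceImage"]), norm(ev["TargetImage"])
            if (src.endswith("\\wbem\\wmiprvse.exe") and tgt in stages
                    and ev["GrantedAccess"].lower() == "0x1fffff"):
                stages[tgt].append("Sysmon 10: WmiPrvSE full access")
        elif ch == SYSMON and eid == 11:
            img, fn = norm(ev["Image"]), norm(ev["TargetFilename"])
            if img in stages and DUMP_NAME.search(fn):
                stages[img].append("Sysmon 11: lsass.dmp written")
                dumps[fn] = img
        elif ch == "Security" and eid == 5145 and ev["ShareName"].upper().endswith("\\C$"):
            fn = share_target(ev)
            if fn in dumps:
                stages[dumps[fn]].append(f"5145: dump read over C$ from {ev['IpAddress']}")
        elif ch == "Security" and eid == 4663 and "DELETE" in ev["AccessList"]:
            obj = norm(ev["ObjectName"])
            owner = dumps.get(obj) or (obj if obj in stages else None)
            if owner:  # PID 0x4 = System, the SMB server deleting on the client's behalf
                stages[owner].append(f"4663: DELETE on {obj} by PID {ev['ProcessId']}")
    return dict(stages)


def flag_dump_theft(stages):
    """Executables for which launch, dump write and share read were all seen."""
    needed = ("4688", "Sysmon 11", "5145")
    return sorted(exe for exe, seen in stages.items()
                  if all(any(s.startswith(n) for s in seen) for n in needed))


EVENTS = [  # constructed sample, ordered like rows 27 to 33 of the report
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Windows\Temp\msdsc.exe"},
    {"Channel": SYSMON, "EventID": 10, "GrantedAccess": "0x1FFFFF",
     "SourceImage": r"C:\Windows\system32\wbem\wmiprvse.exe", "TargetImage": r"C:\windows\temp\msdsc.exe"},
    {"Channel": SYSMON, "EventID": 11, "Image": r"C:\Windows\temp\msdsc.exe",
     "TargetFilename": r"C:\Windows\Temp\lsass.dmp"},
    {"Channel": "Security", "EventID": 5145, "ShareName": "\\\\*\\C$", "ShareLocalPath": "\\??\\C:\\",
     "RelativeTargetName": r"windows\temp\lsass.dmp", "IpAddress": "192.0.2.10"},
    {"Channel": "Security", "EventID": 4663, "ObjectName": r"C:\Windows\Temp\msdsc.exe", "AccessList": "DELETE", "ProcessId": "0x4"},
    {"Channel": "Security", "EventID": 4663, "ObjectName": r"C:\Windows\Temp\lsass.dmp", "AccessList": "DELETE", "ProcessId": "0x4"},
    # A launch from Temp with no dump activity must not be flagged.
    {"Channel": "Security", "EventID": 4688, "NewProcessName": r"C:\Windows\Temp\setup_helper.exe"},
]

if __name__ == "__main__":
    result = correlate(EVENTS)
    for exe, seen in result.items():
        print(exe, "->", seen)
    print("flagged:", flag_dump_theft(result))
```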
            </div>
        </div>
        <hr class="section_divider">
      <h2 class="section"><a href="#Notes" class="collapse" id="a-Notes" onclick="showhide('Notes');">-</a> <a name="Notes">Remarks</a></h2>
        <div class="section" id="div-Notes">
          <ul>
            <li>PowerShell is started multiple times (the first startup enables the script). Although a handle request for CustomDestinations or PSReadline, an update of Prefetch, and so on are performed each time PowerShell starts, the description of these operations from the second startup onward is omitted in this report.</li>
          </ul>
        </div>
  </body>
</html>
